Devices That Tell On You: The Nike+iPod Sport Kit

Page created by Paul Casey
 

T. Scott Saponas, Jonathan Lester, Carl Hartung, Tadayoshi Kohno
Department of Computer Science and Engineering
University of Washington, Seattle, WA, 98195
http://www.cs.washington.edu/research/systems/privacy.html

November 30, 2006

ABSTRACT
Personal sensing devices are becoming more commonplace in everyday life. Unfortunately, radio transmissions from these devices can create unexpected privacy concerns if not carefully designed. We demonstrate these issues with a widely-available commercial product, the Nike+iPod Sport Kit, which contains a sensor that users put in one of their shoes and a receiver that users attach to their iPod Nanos.

We find and technically explore example scenarios, such as stalking, where the Nike+iPod Sport Kit’s design can lead to a compromise of personal privacy and safety. Our results exploit the fact that, when a Nike+iPod user walks or runs, the user’s Nike+iPod sensor broadcasts a unique identifier that can be detected up to 60 feet away. We implement a prototype surveillance system that can track people wearing Nike+iPod sensors, plotting their location on a GoogleMaps-based website and emailing and text-messaging real-time surveillance data to an attacker. Our surveillance system can track individuals when they are working out, as well as when they are casually walking and do not have their iPods with them. The smallest node in our real-time surveillance system is currently a miniature gumstix computer (8cm x 2.1cm x 1.3cm). We also develop a method to convert a third-generation iPod into a surveillance device. Using a second-generation Intel Mote and a Microsoft SPOT Watch, we develop the means for an attacker to obtain real-time surveillance data on his or her wrist watch. To counterbalance our attacks, we present simple changes to the Nike+iPod Sport Kit’s design that, if implemented, would have significantly improved the kit’s resistance to the attacks in this paper. This work suggests a greater need for rigorously evaluating the privacy of new technologies before deployment.

1. INTRODUCTION
As technology continues to advance, more and more computers will permeate our everyday lives; while the last computer revolution placed a single computer in front of a vast majority of our population, the next revolution is poised to place many computers into our environment and onto us. While the many-to-one computational revolution will have many positive aspects, our individual privacy is increasingly endangered by this advancing wave of technological gadgetry.

We study one of the latest such consumer gadgets: the Nike+iPod Sport Kit from Apple Computer, Inc. Contained within the $29 (USD) kit are two modules: a sensor that a person, Alice, can place in her shoe and a receiver which Alice can attach to her iPod Nano; see Figures 1 and 2. When Alice walks or runs, the sensor in her shoe senses information about Alice’s movement and wirelessly transmits this information to the iPod Nano through the receiver. The iPod can then provide Alice with audio feedback about her workout, such as the total distance traveled or calories burned. Although the sensor has an on-off button, the Nike+iPod Sport Kit online documentation [26] recommends that most users should leave their sensors in the on position, and we believe this to be the common case in practice.¹ Similarly, the fourth heading in the same online documentation [26] implies that Apple is concerned about trackability issues; however, we find that their design allows for tracking users via their sensors.²

We stress, however, that there is no evidence that Apple or Nike intended for these devices to be used in any malicious manner. Additionally, neither Apple nor Nike endorsed this study.

Privacy, Personal Safety, and the Nike+iPod Sport Kit. Despite broad public awareness of the potential privacy risks associated with pre-existing technologies, like concerns over RFID tags in Gillette razors [24] and library books [25], and despite Apple’s apparent awareness that trackability can be undesirable, we find that in the common case the Nike+iPod Sport Kit still fails to offer even the most basic level of user privacy to nearby devices: a Nike+iPod sensor is an active device that continuously broadcasts a unique identifier when a user is walking or running, even when the user’s iPod is not nearby. Moreover, our results show that, compared to some conventional passive RFIDs, the Nike+iPod Sport Kit significantly lowers the bar for an adversary since (1) the receive range for Nike+iPod sensors is greater than the read range for certain classes of conventional passive RFIDs and (2) it is easy and cheap for an attacker to implement some of our attacks — for example, we show how an attacker could use a third-generation iPod together with a Nike+iPod receiver as a surveillance device.

¹ The exact quotation from [26] is, “Most Nike+iPod runners and walkers can just drop the sensor in their Nike+ shoes and forget about it.”
² To provide the precise quotation, the fourth heading in [26] reads “Does it [the Nike+iPod Sport Kit] use GPS and does this mean you can track my movements?” The stated answer to this question is a single word, “No.”

To make this discussion more concrete, we next consider some example scenarios in which an adversary might exploit the Nike+iPod design for nefarious purposes. These examples show that a failure to provide adequate privacy can lead to a compromise of consumers’ personal safety. We defer further details to the body of this paper.

Stalking. A malicious person could exploit the Nike+iPod’s design and the sensor’s wide broadcast radius for stalking purposes. In our first example scenario, Alice is a college student who regularly wears her Nike+ shoes while walking between home, class, the library, the student union, the gym, and her friends’ homes. Her ex-boyfriend, Marvin, is unable to come to terms with their separation and still wishes to have some interaction with her. If Marvin places specially-crafted devices (a.k.a. nodes or Nike+iPod detectors) by each of the above-mentioned locations, then he can remotely detect exactly when Alice enters and leaves a particular location (by detecting the unique identifier associated with Alice’s Nike+iPod sensor). Not only is simply collecting this information a potential violation of Alice’s privacy, but this information could also enable Marvin to perform some malicious action. At a minimum, Marvin could somehow “accidentally” find himself bumping into Alice at “random” places, as if by coincidence.

Prototype Surveillance System. We implemented a prototype surveillance system, much like the one Marvin would deploy in the above scenario. Our surveillance system consists of multiple Nike+iPod detector nodes (e.g., a $109 gumstix with an attached $79 wifistix and a Nike+iPod receiver). When a node detects a broadcasting Nike+iPod sensor, the node knows that the sensor is nearby. The node then sends a message using WiFi to a central database; the message contains the location of the node (latitude and longitude), the four-byte unique identifier for the Nike+iPod sensor, and the time the sensor was detected. The central database aggregates all the data from all the nodes and publishes a GoogleMaps overlay showing the locations at which Nike+iPod sensors were recently detected. By looking at this website, Marvin can learn if Alice is near the library, the gym, and so on.

Extensions and Variations. There are several natural extensions to the above scenario. For example, we implemented an extension allowing Marvin to have the system send him SMS messages or emails when Alice changes her location, thereby providing Marvin with a continuous update of Alice’s location. Marvin could also correlate Alice’s location information with the location information of others; thereby possibly inferring information about Alice’s new boyfriend or other associates. In the case where Alice doesn’t own a Nike+iPod kit, Marvin could maliciously implant a sensor in one of Alice’s shoes, thereby enabling the above attacks.

Other malicious parties could also use the above system to track large populations of individuals simultaneously. They could look for commuting and socializing habits and single out a particular victim based on his or her profile, e.g., by finding the lone jogger who likes to run at 4am, along with his or her running route. Alternatively, after the stalker physically observes and selects a victim, the stalker could access the database of stored logs and immediately know significantly more information about this particular victim’s habits, and perhaps even predict where this victim will be in the next hour and intercept him or her there.

Figure 1: An un-opened Nike+iPod Sport Kit.

Figure 2: A Nike+iPod sensor in a Nike+ shoe and a Nike+iPod receiver connected to an iPod Nano.

We consider additional scenarios and attack variants in the body of this paper.

Our tools. Toward exploring the potential privacy implications of the Nike+iPod Sport Kit, we developed the following set of attack tools:

   • We developed an iPod dock serial-to-USB adaptor, which allows us to plug a Nike+iPod receiver into any device with a USB port.

   • We developed a Nike+iPod Serial Communication Tool for Windows XP machines. This tool can collect and visually display data about nearby Nike+iPod sensors, and can feed data in real-time to a back-end SQL server as part of a larger surveillance system.

   • We created a small Nike+iPod detector (8cm x 2.1cm x 1.3cm) from a $109 gumstix connex 200xm, a $79 wifistix, a $27.50 gumstix breakout board, a $2.95 female iPod dock connector, and a $29 Nike+iPod receiver. This Nike+iPod detector can log data internally and can wirelessly feed data in real-time to a back-end server as part of a larger surveillance system. Without the wifistix, our gumstix Nike+iPod detector can still collect data for offline post-processing. If others were to make our software (or the equivalent) available on the Internet, then it would require only minimal technical sophistication — the ability to follow online instructions for installing software onto the gumstix and some soldering — for an attacker to create his or her own gumstix-based Nike+iPod detector.

   • We created a second small Nike+iPod detector module (5cm x 3.8cm x 2.5cm) using a second-generation Intel Mote (iMote2) running Linux. Our iMote2 module can wirelessly communicate information about nearby Nike+iPod sensors to a paired Microsoft SPOT Watch using bluetooth. An adversary could hide the iMote2 in his or her pocket and observe real-time surveillance data on his or her wrist watch. The iMote2 could also be hidden in an environment and passively record surveillance information for subsequent offline analysis. For example, the iMote2 could be hidden in the bushes near a popular running trail, behind a library book, or inside a restroom paper towel dispenser.

   • We also converted a used, third-generation iPod into a Nike+iPod surveillance device. Such iPods are often available on eBay for approximately $100. As with our gumstix-based Nike+iPod detector, creating a third-generation iPod-based surveillance device only requires marginal technical sophistication: an adversary would purchase a Nike+iPod Sport Kit and a few additional parts, would perform a minimal amount of soldering, and would download and install some software that others could make available on the Internet. The converted iPod could serve as a node in some larger surveillance system. Although the iPod’s data would not be available to the larger surveillance system in real-time, an adversary could still view real-time surveillance data on the iPod’s screen.

   • As noted above, we implemented a prototype surveillance system capable of incorporating data from multiple Nike+iPod detectors. The surveillance system can either display a map of real-time Nike+iPod sensor locations, or a historical view of the map. The system can send emails or SMS text messages containing real-time surveillance information. In real-time mode, the current data sources can be Windows XP machines and gumstixs. In historical mode, the current data sources can be Windows XP machines, gumstixs, iMote2s, and third-generation iPods.

We stress that we did not implement our prototype attack systems in order to aid potential stalkers or other adversaries, and we do not plan to distribute our software. Rather, we implemented our systems in order to better understand the capabilities of an attacker and to demonstrate that the attack scenarios that we describe are of practical concern.

While we have used our tools to track ourselves and consenting colleagues, in order to respect the privacy of others, we did not actually deploy our systems to track unsuspecting individuals. Consequently, we do not present the results of a full distributed surveillance experiment in this paper.

Alternate Designs. We consider alternatives to the existing Nike+iPod design that, if implemented, would have significantly improved the privacy-preserving properties of the Nike+iPod kit. While our design alternatives are more privacy-preserving than the current Nike+iPod design, we acknowledge that implementing our alternatives may affect battery life, manufacturing cost, and usability under some circumstances.

Discussion. While the central focus of this study is on understanding, exploiting, and improving the design of the Nike+iPod Sport Kit, the implications of this work are much broader. Namely, while trackability based on personal devices is not new — indeed, it is well-known that the possession of traditional passive RFIDs, discoverable bluetooth devices, and WiFi devices can enable tracking by third parties — the key contribution here is showing that new devices are still being introduced without strong privacy-preserving mechanisms. Our hope is that this work will further motivate industry members and the computer science research community to work together to better understand and address the full privacy implications of future devices, as well as to work towards retroactively improving the privacy of existing technologies.

Overview. Section 2 discusses our initial technical exploration into the design of the Nike+iPod system. Next, Section 3 discusses our experiments measuring the various characteristics of the Nike+iPod sensors. We then describe how we instrumented tools for creating surveillance systems using the Nike+iPod receiver in Section 4. Section 5 gives example scenarios where attackers could use these systems to stalk victims, and we discuss the implications of our work in Section 6. Section 7 discusses related work. Finally, Section 8 concludes the paper.

2. DISCOVERING THE NIKE+IPOD PROTOCOL
The Nike+iPod Sport Kit. The Nike+iPod Sport Kit allows runners and walkers to hear real time workout progress reports on their iPod Nanos and to view their workouts online at http://www.nike.com/nikeplus/. A typical user would purchase an iPod Nano, a Nike+iPod Sport Kit, and either a pair of Nike+ shoes or a special pouch to attach to non-Nike+ shoes. The Nike+iPod kit costs $29 and consists of a receiver and a sensor; see Figure 1. Users place the sensor from the kit in their left Nike+ shoes and attach the receiver to their iPod Nanos as shown in Figure 2.

The sensor is a 3.5cm x 2.5cm x 0.75cm plastic encased device, and the receiver is a 2.5cm x 2cm x 0.5cm plastic encased device. When a person runs or walks the sensor begins to broadcast sensor data via a radio transmitter whether or not an iPod Nano is present. When the person stops running or walking for ten seconds, the sensor goes to sleep. When the iPod Nano is in workout mode and the receiver’s radio receives sensor data from the sensor, the receiver will relay (a function of) that data to the iPod Nano, which will then give feedback to the person on his or her workout.

Figure 3: A broken-open Nike+iPod receiver.

Figure 4: A Nike+iPod receiver fully removed from its protective case. The blue wire is attached to the iTXD pin, the green wire to the iRXD pin, and the black wire is attached to ground.

The iPod software offers a variety of workout modes: Basic, Time, Distance, and Calories. The Basic mode allows one to select music to listen to during a workout and monitors distance, running pace, and calories burned. At any time during the workout, the user may press the center button of the iPod and spoken feedback over the headphones announces how much time has elapsed since beginning the workout, the distance run so far, and the current pace (in terms of minutes per mile or km). The Time, Distance, and Calories modes are similar to the Basic mode, except they allow the user to set a target workout duration, distance to run, or calories to burn, respectively. At the conclusion of a workout users sync their iPod with iTunes and the workout information is sent to NikePlus.com. The NikePlus web site gives users several visualizations of their workouts, the ability to challenge others to workout competitions, as well as a forum for discussing running.

Initial Analysis. Our first goal was to learn how the Nike+iPod sensor communicates with the receiver. According to the Nike+iPod documentation, a sensor and receiver need to be linked together before use; this linking process involves user participation. Once linked, the receiver will only report data from that specific sensor, eliminating readings from other users’ sensors. The receiver can also remember the last sensor to which it was linked so that users do not need to perform the linking step every time they turn on their iPods. The receiver can also later be linked to a different sensor (for a replacement sensor or different user), but under the standard user interface the receiver can only be linked to one sensor at any given time.

We observed, however, that a single sensor could be linked to two receivers simultaneously, meaning that two people could use their iPod Nanos and the standard user interface to read the data from a single Nike+iPod sensor at the same time. Further investigation revealed that the sensor was a transmitter only, meaning that it was incapable of knowing what iPod or receiver it was associated with. This observation provides the underlying foundation for our work since it concretely shows that a Nike+iPod Sport Kit does not enforce a strong, exclusive, one-to-one binding between a sensor and a receiver. Having made this observation, we then commenced to uncover more details about the Nike+iPod protocol.

The Hardware. The Nike+iPod Sport Kit receiver communicates with the iPod Nano through the standard iPod connector. Examining which pins are present on the receiver’s connector and comparing those pins with online third-party pin documentation [17], we determined communication was most likely being done over a serial connection.

Opening the white plastic case of the receiver reveals a component board and the pin connections to the iPod connector. There are ten pins in use; three of these pins are used in serial communication: ground, iPod transmit (iTXD), and iPod receive (iRXD); see Figures 3 and 4. We verified that digital data was being sent across this serial connection by connecting an oscilloscope over the iRXD and ground while the open receiver was connected to the iPod. This also allowed us to measure the bit width and establish that the serial connection was using the data rate of 57.6 Kbps. We then soldered wires onto the ground, iTXD, and iRXD pins and connected them to the serial port of our computer.

With the receiver connected to the iPod we turned on the iPod and saw data sent in both directions over the serial connection. In the data transmitted by the iPod, the serial number of the iPod is sent in ASCII. Similarly, in the data transmitted by the receiver, the receiver’s serial number and the serial number of the last sensor that was used in a workout with the receiver are sent in ASCII.

Serial Communications. As noted above, before the receiver can be used with a new sensor, the sensor must be linked with the receiver. This is initiated by the user through menus in the iPod interface. The user is asked to walk around so that the sensor can be detected by the receiver. When the link process is started, the iPod sends some data to the receiver. Then, the receiver begins sending data until the new sensor is discovered and linked by the receiver. Finally, the iPod sends some more data back to the receiver. In this last chunk of data from the iPod, the serial number of the new sensor is sent in ASCII. A transcript of the communications is shown in Figure 5.

Figure 5: The figure on the left shows our approach for passively monitoring the serial communications between an iPod and the Nike+iPod receiver; the communications between the iPod and the receiver are over a physical, serial connection, and the communication from the sensor to the receiver is via a radio. The figure in the middle shows our approach for directly controlling a Nike+iPod receiver from a computer; the communication from the computer to the Nike+iPod receiver is over a physical serial connection. The figure on the right shows our approach for translating between a sensor’s UID and the sensor’s serial number.

Online third party resources document the iPod accessory serial packet format to be a three byte header, a payload, and a one byte checksum [14]. The first two bytes of the header are FF55 and the third byte is the size of the payload in bytes. We also found that sometimes there are additional 00 bytes between the FF and 55 bytes in the header.

After comparing several traces of the link process with several different sensors we noticed that linking seemed to complete when the third occurrence of a certain packet came from the receiver. These packets’ payload started with the four bytes 090D0D01; however, the next four bytes were different depending on which sensor we used (for example 37625122). We assumed this to be a unique identifier per sensor that the iPod Nano software somehow maps to the ASCII serial number of the sensor in order to send the serial number back to the receiver after linking. We refer to these four bytes as the sensor’s UID.

Verifying UID to Serial Number Translation. We attempted to verify that the iPod translates these identifiers to the sensor’s serial number by having our computer act as a man-in-the-middle between the receiver and the iPod Nano. We further modified the receiver by disconnecting the iRXD pin from the receiver board. We then connected a second serial port from our computer between the receiver and the iRXD pin. This allowed us to listen to iTXD with our first serial port, listen to the receiver with our second serial port, and repeat what the receiver sends to the iPod via iTXD using the transmit on the second serial port. See Figure 6. Using this new configuration, we again tried the link process; except this time, instead of walking around with a sensor, we sent to the iPod a packet consisting of the bytes 090D0D01, the four bytes corresponding to the UID of one of our sensors, and a string of zeros to pad the payload to the appropriate length. The iPod returned the correct serial number for this sensor. This method therefore appears to allow one to translate the four-byte identifiers seen in the packets from the receiver to actual sensor serial numbers.

Figure 6: Our setup for deriving a serial number from a UID.

Since UIDs appear unique, and since there is a straightforward way to exploit an existing iPod Nano to map from UIDs to serial numbers, we will hereafter focus only on the UIDs. While we suspect that most adversaries will never need to map from UIDs to serial numbers, if an adversary wishes to do so, the adversary could re-implement the steps we describe above.

Controlling the Nike+iPod Receivers Directly. Our next step was to use the Nike+iPod receiver to listen for sensor identifiers in an automated fashion without the iPod Nano. To do this we modified an iPod female connector by soldering wires from the serial pins on the iPod connector to our adapter, adjusted the voltage accordingly, and attached 3.3V power to the power pin. We then plugged an unmodified Nike+iPod receiver into our female connector and replayed the data that we saw coming from the iPod when the iPod is turned on and then when the iPod enters link mode. This process caused the receiver to start sending packets over the serial connection to our computer with the identifiers of the broadcasting sensors in range. However, because our computer never responds to the receiver’s packets, the link process never ends and the receiver continues to send to our computer the identifiers of transmitting sensors until power is removed.

Figure 7: Our Nike+iPod receiver to USB adaptor.
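
The packet framing described in Section 2 (an FF55 header that may carry extra 00 bytes, a size byte, the payload, a one-byte checksum, and the 090D0D01 prefix followed by the four-byte UID) can be checked against a captured trace with a small decoder that also counts and skips frames with a bad checksum. This is an added example, not the authors' tool: the checksum rule (size byte plus payload plus checksum summing to zero modulo 256) and the four bytes of zero padding are assumptions, and every sample byte other than the prefix and the UID 37625122 is constructed.

```python
"""Decode iPod-accessory serial frames and list Nike+iPod sensor UIDs (added example)."""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

SENSOR_PREFIX = bytes.fromhex("090D0D01")  # payload prefix reported in Section 2
UID_LEN = 4                                # the four bytes the paper calls the UID


def frame_checksum(length: int, payload: bytes) -> int:
    # ASSUMPTION (not stated on the page): length + payload + checksum == 0 mod 256.
    return -(length + sum(payload)) & 0xFF


@dataclass(frozen=True)
class Frame:
    offset: int        # index of the FF byte in the capture
    payload: bytes
    checksum_ok: bool

    @property
    def sensor_uid(self) -> Optional[str]:
        """UID as hex, or None for corrupt frames and non-sensor packets."""
        if not self.checksum_ok or not self.payload.startswith(SENSOR_PREFIX):
            return None
        uid = self.payload[len(SENSOR_PREFIX):len(SENSOR_PREFIX) + UID_LEN]
        return uid.hex().upper() if len(uid) == UID_LEN else None


def iter_frames(stream: bytes) -> Iterator[Frame]:
    """Yield every frame whose header and length fit inside the capture."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != 0xFF:
            i += 1
            continue
        j = i + 1
        while j < n and stream[j] == 0x00:   # optional 00 bytes between FF and 55
            j += 1
        if j + 1 >= n or stream[j] != 0x55:  # not a header, or no room for size byte
            i += 1
            continue
        length = stream[j + 1]
        start, end = j + 2, j + 2 + length   # stream[end] is the checksum byte
        if end >= n:                         # truncated capture or damaged size byte
            i += 1
            continue
        payload = stream[start:end]
        ok = frame_checksum(length, payload) == stream[end]
        yield Frame(i, payload, ok)
        # After a bad checksum, rescan from the next byte: the size byte itself may
        # have been corrupted, so skipping `length` bytes could hide a good frame.
        i = end + 1 if ok else i + 1


def summarize(stream: bytes) -> Tuple[List[str], int]:
    """Return (UIDs from valid sensor frames in order, count of bad-checksum frames)."""
    uids, corrupt = [], 0
    for frame in iter_frames(stream):
        if not frame.checksum_ok:
            corrupt += 1
        elif frame.sensor_uid:
            uids.append(frame.sensor_uid)
    return uids, corrupt


def build_frame(payload: bytes, pad: int = 0, corrupt: bool = False) -> bytes:
    """Construct a test frame; `pad` inserts 00 bytes between FF and 55."""
    ck = frame_checksum(len(payload), payload) ^ (0xFF if corrupt else 0x00)
    return b"\xFF" + b"\x00" * pad + b"\x55" + bytes([len(payload)]) + payload + bytes([ck])


def sensor_payload(uid_hex: str) -> bytes:
    # Four zero bytes of padding is a constructed length; the paper only says the
    # payload is padded with zeros "to the appropriate length".
    return SENSOR_PREFIX + bytes.fromhex(uid_hex) + b"\x00" * 4


# Constructed capture: only the prefix and the UID 37625122 come from the paper.
SAMPLE_STREAM = (
    b"\x00\x13\xFF\x12"                                      # line noise with a stray FF
    + build_frame(sensor_payload("37625122"))
    + build_frame(sensor_payload("A1B2C3D4"), pad=2)         # header seen as FF 00 00 55
    + build_frame(sensor_payload("0BADF00D"), corrupt=True)  # checksum mismatch
    + build_frame(bytes.fromhex("00020000"))                 # some non-sensor packet
    + b"\xFF\x55\x0C\x09\x0D"                                # capture ends mid-frame
)

if __name__ == "__main__":
    uids, corrupt = summarize(SAMPLE_STREAM)
    print("sensor UIDs:", uids)
    print("frames dropped for bad checksum:", corrupt)
```
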

3. MEASUREMENTS
In this section we discuss our preliminary measurements of: when a sensor transmits; how often it transmits; the range at which the receiver hears the sensor; and the collision behavior of multiple sensors. For this exploration, we are only interested in the unique identifier transmitted by each sensor. We do not investigate the “payload” of the sensor packets.

As described in the documentation of the Nike+iPod Sport Kit, when the sensor is still, it is “sleeping” to save battery. When one begins to walk or run with the sensor in their shoe, the sensor begins transmitting. It is also possible to wake up the sensor without putting it in a shoe. For example, shaking the sensor while still in the sealed package from the store will cause it to transmit its UID. Sensors can also be awakened by tapping them against a hard surface or shaking them sharply. Similarly, if a sensor is in the pocket of one’s pants, backpack, or purse, it will wake up occasionally. Once walking, running, shaking, and the like cease, the sensor goes to sleep after approximately ten seconds.

While the sensor is awake and nearby we observed it transmit one packet every second (containing the UID). When the sensor is more distant or around a corner the receiver heard packets intermittently, but still on second intervals. When multiple sensors are awake near one another some packets get corrupted (their checksums do not match). As the number of awake sensors increases so does the number of corrupt packets. However, our tests with seven sensors indicated the receiver still hears every sensor UID at least once in a ten second window.

Figure 8: A screenshot of our Nike+iPod Serial Communication Tool.

a receiver attached to an iPod, a second receiver can detect the sensor transmitting its UID. This situation is natural since the sensor can only transmit information; the sensor does not have receive capabilities.

4. INSTRUMENTING ATTACKS
We now describe our systems for exploiting the design of the Nike+iPod Sport Kit.

4.1 Receiver to USB Adaptor
We created a compact USB receiver module for detecting Nike+iPod sensor UIDs. Our module does not require any modification to the Nike+iPod receiver; see Figure 7. Our USB module consists of a female iPod connector [15] and a serial-to-USB board utilizing the FTDI FT2232C chipset [7]. We connected the three serial pins and the 3.3V power pin of the iPod connector to the appropriate pins of the FT2232C. When this module is connected to a computer via USB, the receiver is then powered and a USB serial port is made available for our software to communicate with the receiver.

From examining the Nike+iPod receiver’s components, as shown in Figure 4, we surmise that the Nike+iPod Sport Kit uses the ANT wireless radio and protocol. ANT radios generally have a range of 1–30 meters [1]. During our experiments with the Nike+iPod sensors we observed approx-
imately a 10 meter range indoors and a 10–20 meter range           With the receiver attached, this package is approximately
outdoors. Sensors are also detectable while moving quickly.        3cm x 3cm x 2cm.
Running by a receiver at approximately 10 MPH, the sen-
sor is reliably received. Driving by someone walking with a        4.2 Nike+iPod Serial Communication Tool
sensor in their shoe, the sensor can be reliably detected at       Our Nike+iPod Serial Communication Tool provides sup-
30 MPH. We have not tested faster speeds.                          port for: logging serial traces on up to two serial ports si-
                                                                   multaneously; sending Nike+iPod receiver initialization and
When someone is engaged in a workout with a sensor using           link commands; logging Nike+iPod receiver serial data at
the packet level (including checksum verification); and logging what sensors have been seen and when. See Figure 8. Logs for multiple serial port traces are interleaved so that one may see the data exchange or protocol of two devices (in our case, the iPod and the receiver).

Our tool also provides a graphical interface for: sending and receiving binary data in hex format over up to two serial ports; viewing hex and ASCII representation of incoming packets; and viewing what sensors have been seen and when new packets for those sensors arrive. Our sensor visualization consists of a blue rectangle for each seen sensor with its UID in hex and the last time it was seen. Each time the sensor is seen the box for that sensor becomes red and slowly becomes blue (from top to bottom) over the following five seconds. This allows one to get a sense of which awake sensors are in range and how many of their packets are arriving uncorrupted.

Optionally, our tool can take a picture whenever a new sensor is discovered using most USB cameras and make that photo the background of the blue box in the sensor visualization. This application can also serve as a data collection node in a larger surveillance network. To support this task, the tool can upload to a SQL server sensor events including UID, optional photo, timestamp, latitude, and longitude. (Latitude and longitude are currently set manually by the user; one could, however, imagine linking a bluetooth GPS receiver so that a mobile receiver on a car or bike could do accurate data collection.)

The tool can also SMS or email sensor information to users. This tool is implemented in approximately 2000 lines of C# and XAML on Microsoft .NET 3.0 for Microsoft Windows XP or later.

4.3 Intel Motes
In addition to our serial communication tool for Windows we have also created an embedded module for logging and tracking Nike+iPod sensors using version 2 of the Intel Motes (iMote2). This module consists of an iMote2, an unmodified Nike+iPod receiver, female iPod connector, and an iMote2 utility daughter board with bluetooth. The assembled package is 5cm x 3.8cm x 2.5cm, weighs 2.3 ounces, and has a storage capacity of 2GB via a Mini Secure Digital card.

The iMote2 runs the Linux operating system and our software is written in C. The iMote2 communicates with the receiver using a serial port. On boot, the iMote2 sends initialization and link commands to the receiver and begins logging sensor events to a file. Optionally, the software can turn on an LED when the iMote2 detects that one or more prespecified sensors are nearby. The set of target sensors is specified in a configuration file. One can imagine using the LED-based alarm as a discreet mechanism for visually notifying a user when a target victim’s sensor is nearby. There are obvious audio (buzzer) and physical (vibrate) extensions.

We have instrumented our iMote2 to communicate the UIDs of sensors in range to a Microsoft SPOT Watch over bluetooth. Using our system, an adversary could put the iMote2 and receiver in his or her backpack, purse, or pocket, and still continuously monitor information about nearby sensors on his or her watch. See Figure 9.

Figure 9: A Microsoft SPOT Watch receiving Nike+iPod sensor IDs from an iMote2 over wireless bluetooth.

The sensor events logged to file can also be manually uploaded to a central server for aggregation with sensor information from the Serial Communication Tool. A straightforward extension to this device would be for the iMote2 to obtain real-time location information from a bluetooth GPS sensor; this would enable an attacker to collect accurate sensor location information while the attacker is mobile. Another straightforward extension would be to create a large, distributed surveillance sensor network consisting of multiple iMote2 nodes, and to upload surveillance data in real-time to some central SQL server. Rather than implement this latter capability in our iMote2s, we do so with our gumstix in Section 4.4.

4.4 Gumstixs
We have also implemented a cheap Nike+iPod surveillance device using the Linux-based gumstix computers. This module consists of an unmodified $29 Nike+iPod receiver, a $109 gumstix connex 200xm motherboard, a $79 wifistix, a $27.50 gumstix breakout board, and a $2.95 female iPod connector. The assembled package is 8cm x 2.1cm x 1.3cm and weighs 1.1 ounces; see Figure 10.

Our gumstix-based module runs the same surveillance software that our iMote2s run, except that (1) the software on the gumstix module uses WiFi to wirelessly transmit real-time surveillance data to a centralized back-end server and (2) our gumstixs do not pair with a Microsoft SPOT Watch. The real-time reporting capability allows the gumstix module to be part of a larger real-time surveillance system. If an adversary does not need this real-time capability, then the
adversary can reduce the cost of this module by omitting the wifistix.

Figure 10: A gumstix-based Nike+iPod surveillance device with WiFi wireless capabilities.

4.5 Exploiting the iPod
Using off the shelf hardware, we created another surveillance device that requires little hardware modification to log and view Nike+iPod sensor activity. We used a desktop computer to install iPod Linux [18] on a third-generation iPod. We then recompiled our iMote2 logging software using the iPod Linux toolchain. The only hardware modification is that the serial send and receive lines on the remote control port at the top of the iPod must be connected to the serial lines at the bottom of the iPod in the dock connector. This can be achieved with a dock connector break-out board [16]. The breakout board allows one to plug in the Nike+iPod receiver (or any iPod accessory) to the iPod through the breakout board while exposing all of the connector pins, including serial send and receive, for soldering.

Running our application under iPod Linux with the receiver plugged into the iPod, we can now display on the screen of the iPod what sensors are nearby and log sensor events (UID and timestamp) to the hard drive of the iPod for later synchronization with a central database. This allows an attacker to use an older third-generation iPod as a surveillance device; the older iPod can be obtained at a discount from places like eBay. A natural extension of this application would be to use a text-to-speech software package so that one can wear headphones connected to the iPod and be notified by audio of what Nike+iPod sensors or people are nearby.

If the iPod Linux community figures out how to use the serial port in the dock connector of the third-generation iPod, or any other iPod with a dock connector running iPod Linux, an attacker could track Nike+iPod sensors without any hardware modification at all.

4.6 A Distributed Surveillance System
To illustrate the power of aggregating sensor information from multiple physical locations, we created a GoogleMaps-based web application. Our web application uses and displays the sensor event data uploaded to a central SQL server from multiple data sources. Currently, the data sources may be our Serial Communication Tool, iMote2 application, gumstix application, or iPod Linux application. See Figure 11.

Figure 11: A screenshot of our GoogleMaps-based surveillance web application.

In real-time mode, sensors’ UIDs are overlaid in hex on a GoogleMaps map at the location the sensor is seen. When the sensor is no longer present at that location, the UID disappears. Optionally, digital pictures taken by a laptop when the sensor is first seen can be overlaid instead of the UID. Currently, the Serial Communication Tool and the gumstixs can upload data in real-time, but it is also possible to create a network of multiple iMote2 nodes that are also capable of uploading data to the server in real-time. In history mode, the web application allows the user to select a timespan and show all sensors recorded in that timespan. For example, one could select the timespan between noon and 6pm on a given day; all sensors seen that afternoon will be overlaid on the map at the appropriate location.

This application would allow many individuals to track people of interest. An attacker might also use this tool to establish patterns of presence. If many attackers with receivers cooperated, this software and website would allow the tracking and correlation of many people with sensors.

5. EXAMPLE SCENARIOS
Having described our basic attack tools in Section 4, we are now in a position to discuss how one might use or refine our attack tools for particular surveillance and adversarial applications. We do not intend for the following to be an exhaustive list of all possible attack scenarios. Rather, the goal of the following discussion is to highlight the breadth of the types of scenarios that exist.
While the attacker may choose from any of our technologies (a laptop running the Serial Communication Tool, an iMote2, a gumstix, or a third-generation iPod itself), we refer to the adversary’s equipment generically as a Nike+iPod detector.

The Jealous Boyfriend. Marvin is a jealous boyfriend who suspects that his girlfriend, Alice, is cheating on him with his best friend Bob. Alice wears Nike+ shoes and uses a Nike+iPod Sport Kit. We assume that Marvin knows the UID of the Nike+iPod sensor in Alice’s shoe; Marvin could easily learn this UID by, for example, shaking Alice’s shoe in front of a Nike+iPod detector or by turning his Nike+iPod detector on while walking Alice to her car. Alternately, suppose that, unbeknownst to Alice, Marvin maliciously implants a Nike+iPod sensor in one of Alice’s shoes, or hides a sensor in Alice’s jacket or purse.

If Marvin is able to place a Nike+iPod detector near Bob’s house, then Marvin will be able to infer whether Alice visited Bob, and for how long. We stress that, rather than deploy our full prototype surveillance system, for this application Marvin may only need a single Windows XP laptop or palmtop running our Serial Communication Tool, a single Intel Mote, a single gumstix, or a single third-generation iPod.

If Marvin knows that Bob also regularly wears his Nike+ shoes, and if Marvin knows the UID of Bob’s Nike+iPod sensor, then Marvin could place a Nike+iPod detector near Alice’s home, thereby allowing Marvin to infer how regularly Bob (or anyone else with Nike+ shoes and a Nike+iPod sensor) visits Alice. As a final twist to this example, Marvin could also deploy a Nike+iPod sensor on Alice’s preferred jogging path, with the goal of inferring whether Alice is starting to acquire a new jogging partner.

While we leave to the reader’s imagination what Marvin might do with the information he gains from implementing any of these attacks, it should be clear that these attacks compromise Alice’s privacy.

The Ex-Boyfriend. After realizing that Marvin is no good for her, Alice has chosen to terminate their relationship. Unable to handle rejection, Marvin is committed to finding ways to keep bumping into Alice.

In order to track Alice, Marvin might deploy a distributed surveillance system like the one we describe in Section 4.6. Namely, Marvin might place Nike+iPod detectors at key locations on campus, including in front of the library, the gym, the dorms, and the student union, as well as at key locations off campus, such as Alice’s place of employment, and Alice’s home. By viewing the GoogleMaps-based website, Marvin can at any time detect whether Alice is currently near one of his deployed Nike+iPod detectors or when she was last detected. Marvin can then “coincidentally” find himself bumping into Alice near that location. Rather than finding Alice’s location by looking at the GoogleMaps-based website, Marvin could also configure the surveillance system to send him an email message or an SMS text message when Alice enters the receive range of a surveillance node.

Marvin could also use our GoogleMaps-based surveillance system to learn the UIDs of the Nike+iPod sensors that are consistently near Alice, thereby learning information about Alice’s peers. Marvin could also exploit another feature of our surveillance system and look at historical views of the map, thereby allowing Marvin to develop a more complete understanding of Alice’s daily schedules over time.

The Stalker. We refer the reader to Section 1 for further discussions about stalking and, in particular, for a discussion of how a stalker might exploit a distributed surveillance system.

The Professional Thief. Unlike Marvin, who targets only a single individual, the professional thief might be interested in targeting any person bearing a certain profile or with certain schedules, such as a person who is not at home during certain times of the day. Currently, a thief might visually case homes for robbery; however, doing so is time-consuming and conspicuous. Unfortunately, a Nike+iPod-based distributed surveillance system, like the one we describe in Section 4.6, would enable a professional thief to monitor many people simultaneously, until he determines which victim or victims to focus on.

The Unethical Organization. An unethical organization could use a distributed Nike+iPod-based surveillance system to track their members, or the members of a competitor organization. As an example of the former, an organization might employ a Nike+iPod-based surveillance system to determine whether its members attend the other organization’s rallies, events, or offices. As an example of the latter, rather than hire a large number of private investigators, the first organization could place Nike+iPod detectors near all of its competitor’s homes, as well as near questionable venues on the wrong side of town. After cheaply performing such a broad initial surveillance step, the first organization could now hire one or two private investigators to follow the individuals that likely participate in blackmailable activities.

Customer Tracking. Companies could use the Nike+iPod sensors to track customers throughout their stores and over multiple visits. For example, a store could create a binding between the consumer’s Nike+iPod sensor’s UID and the customer’s purchasing history (as derived through loyalty programs or credit card numbers). Then, the next time the customer enters the store, the store attendants could immediately know the types of purchases the customer might be interested in making and target the sales pitch accordingly.

As background, we remark that there have been several high-profile examples of stores (neither Apple nor Nike) violating customers’ privacy by embedding RFID tags in consumer products and then observing customers handling those tagged objects [8, 24, 29].

Muggers. Since iPod Nanos are attractive to thieves, and since owners of iPod Nanos might have other attractive gadgets on them, muggers could benefit from knowing whether a potential victim might be in possession of an iPod Nano. Indeed, following a string of muggings in Manhattan targeting owners of iPods, New York University students were advised to not wear the tell-tale white ear-buds commonly associated with iPods [2, 9].

Our results show that even if a person does not wear the tell-tale ear-buds, a mugger can detect whether a person might be in possession of an iPod by deploying a Nike+iPod detector (under the assumption that if a person is wearing a shoe with a Nike+iPod sensor, then that person might be in possession of an iPod, even if he or she is not actively using it). In more detail, the mugger could use a generic Nike+iPod detector to determine whether a Nike+iPod sensor is nearby. If there are multiple people in the vicinity, the mugger could localize on the particular victim by using a directional antenna.

While one might initially suspect that the above attack may be beyond the technical capabilities of most muggers, we disagree. First, although cumbersome for the mugger, the mugger could actually implement a crude version of this attack using a standard iPod Nano, a standard Nike+iPod receiver, and the standard user interface and linking process to detect whether a Nike+iPod sensor is nearby. Second, we believe that some of our methods for automating an attack require only minimal technical sophistication, provided that someone else makes the software for the attack available on the Internet. Moreover, we observe that a group of criminals working together would only need a single individual with the appropriate technical capabilities, or the means to purchase those capabilities. Lastly, if in the future there are many more Nike+iPod-like devices that fail to provide strong privacy properties, there may be additional motivation for criminals to acquire the appropriate gadget-detecting technologies.

Combining Tracking Technologies. It is possible to combine our Nike+iPod based surveillance techniques with other techniques, thereby creating more complete profiles of people and further eroding their privacy. For example, it is possible to incorporate the surveillance of discoverable bluetooth devices into our prototype surveillance system. By binding Nike+iPod sensors to bluetooth devices, an adversary can now track individuals even if they are only carrying one of those devices. Perhaps, even worse, the sometimes discoverable bluetooth devices could give a meaningful name to the often transmitting Nike+iPod sensor. While our prototype Serial Communications Tool is capable of taking photographs when it detects a sensor enter into range, one could employ more sophisticated computer vision, as well as face, gait, or license plate recognition techniques, to extract further information from these pictures and build broader profiles of individuals. If an attacker can place his or her device close enough to an individual, an attacker could also bind a person’s Nike+iPod sensor data to the individual’s RFID credit card information [11], passport information [20], or library book information [25].

6. DISCUSSION
One of the key contributions of this work is to highlight the fact that, despite broad public awareness of the privacy concerns with RFID tags and discoverable bluetooth devices, and even despite some industry awareness of the importance of untrackability, major companies are still introducing popular new technologies without strong privacy guards.

We consider this situation unfortunate since in many cases it is technically possible to significantly improve consumer privacy. Consider, for example, the typical usage scenario for the Nike+iPod Sport Kit. In the common case, we expect that once a user purchases a Nike+iPod Sport Kit, he or she will rarely use the sensor from that kit with the receiver from a different kit. This means that the sensor and the receiver could have been pre-programmed at the factory with a shared secret cryptographic key. By having the sensor encrypt each broadcast message with this shared key, the Nike+iPod designers could have addressed most of our privacy concerns about the Nike+iPod application protocol; there may still be information leakage through the underlying radio hardware, which could be dealt with separately. If Apple and Nike decide that a sensor from one kit should be used with the receiver from a separate kit, then several options still remain. For example, under the assumption that one will only rarely want to use a sensor from one kit with a receiver from another, the cryptographic key could be written on the backs of the sensors, and a user could manually enter that key into their iPods or computers before using that new sensor. Alternately, the sensor could have a special button on it that, when pressed, causes the sensor to actually broadcast a cryptographic key for some short duration of time.

In a bit more technical detail, assume that both the sensor and the receiver in a Nike+iPod Sport Kit are pre-programmed with the same shared 128-bit cryptographic key K. One design approach would be for the sensor to pre-generate a new pseudorandom 128-bit value X during the one-second idle time between broadcasts. Although the sensor could generate X using physical processes, we suggest generating X by using AES in CTR mode with a second, non-shared 128-bit AES key K′. Also during this one-second idle time between broadcasts, the sensor could pre-generate a keystream S using AES in CTR mode, this time with the initial counter X and the shared key K. Finally, when the sensor wishes to send a message M to the corresponding receiver, the sensor would actually send the pair (X, M ⊕ S), where “⊕” denotes the exclusive-or operation. Upon receiving a message (X, Y), the receiver would re-generate S from X and the shared key K, recover M as Y ⊕ S, and then accept M as coming from the paired sensor if M contains the desired UID. While it is rather straightforward to argue that this construction provides privacy at the application level against passive adversaries (by leveraging Bellare et al.’s [3] provable security results for CTR mode encryption), we do acknowledge that this construction may not fully provide all desired target security properties against active adversaries. Also, there may be some identifying information transmitted by the radio hardware in the Nike+iPod sensor. Furthermore, we acknowledge that there are ways of optimizing the approach outlined above, and that the above approach may affect the battery life, manufacturing costs, and usability of the Nike+iPod Sport Kit. Nevertheless, this discussion clearly shows that it is possible to significantly improve upon the privacy properties of the current Nike+iPod Sport Kits.
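The AES-CTR pairing scheme proposed in Section 6, sketched in Go as an added example (it is not code from the paper, Apple, or Nike). The 4-byte UID, the layout M = UID || payload, the keys, and all type and function names are assumptions; the paper does not specify a packet format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"fmt"
)

// uidLen is an assumed UID width; the paper does not give the packet layout.
const uidLen = 4

// Sensor holds AES under the shared key K and a CTR stream under the
// sensor-only key K', which is used solely to derive each fresh X.
type Sensor struct {
	shared cipher.Block
	xGen   cipher.Stream
	uid    [uidLen]byte
}

// NewSensor expects two 16-byte (128-bit) keys, as in the paper's proposal.
func NewSensor(k, kPrime []byte, uid [uidLen]byte) (*Sensor, error) {
	shared, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	private, err := aes.NewCipher(kPrime)
	if err != nil {
		return nil, err
	}
	// Assumption: the stream under K' starts at counter zero and its state
	// persists for the sensor's lifetime, so no X value is ever repeated.
	zero := make([]byte, aes.BlockSize)
	return &Sensor{shared: shared, xGen: cipher.NewCTR(private, zero), uid: uid}, nil
}

// Broadcast builds M = UID || payload (assumed layout) and returns (X, M xor S).
func (s *Sensor) Broadcast(payload []byte) (x, y []byte) {
	x = make([]byte, aes.BlockSize)
	s.xGen.XORKeyStream(x, x) // zeros in, next 16 keystream bytes out
	m := append(append([]byte{}, s.uid[:]...), payload...)
	y = make([]byte, len(m))
	cipher.NewCTR(s.shared, x).XORKeyStream(y, m) // S = AES-CTR under K, counter starts at X
	return x, y
}

// Receiver holds only the shared key K and the UID of its paired sensor.
type Receiver struct {
	shared cipher.Block
	uid    [uidLen]byte
}

func NewReceiver(k []byte, uid [uidLen]byte) (*Receiver, error) {
	shared, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return &Receiver{shared: shared, uid: uid}, nil
}

// Receive regenerates S from X and K, recovers M = Y xor S, and accepts the
// packet only if M starts with the paired UID. There is no integrity tag, as
// in the paper's construction, so this covers passive eavesdroppers only.
func (r *Receiver) Receive(x, y []byte) (payload []byte, ok bool) {
	if len(x) != aes.BlockSize || len(y) < uidLen {
		return nil, false // malformed or truncated packet
	}
	m := make([]byte, len(y))
	cipher.NewCTR(r.shared, x).XORKeyStream(m, y)
	if subtle.ConstantTimeCompare(m[:uidLen], r.uid[:]) != 1 {
		return nil, false // not the paired sensor, or wrong key
	}
	return m[uidLen:], true
}

func main() {
	// Constructed keys and UID, for the demonstration only.
	k := bytes.Repeat([]byte{0x11}, 16)
	kPrime := bytes.Repeat([]byte{0x22}, 16)
	uid := [uidLen]byte{0xDE, 0xAD, 0xBE, 0xEF}
	sensor, _ := NewSensor(k, kPrime, uid)
	paired, _ := NewReceiver(k, uid)
	stranger, _ := NewReceiver(bytes.Repeat([]byte{0x33}, 16), uid)
	for i := 0; i < 2; i++ {
		x, y := sensor.Broadcast([]byte("step"))
		p, ok := paired.Receive(x, y)
		_, seen := stranger.Receive(x, y)
		fmt.Printf("X=%x Y=%x paired=%q/%v stranger=%v\n", x, y, p, ok, seen)
	}
}
```

Two broadcasts of the same message produce different (X, Y) pairs, so a listener without K sees no stable identifier to track. Because Y carries no authentication tag, a modified Y can still be accepted, which is consistent with the paper's caveat about active adversaries.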
Other Devices. The reader might ask why it is important for new technologies to protect consumer privacy when existing technologies, like traditional RFIDs and discoverable bluetooth devices, may not. Our opinion is that if one adopts such a belief system, then one has already conceded to an eventual loss of control of one’s personal privacy. We believe that protecting consumer privacy is critical, as exemplified in part by the example scenarios in Section 5. Therefore, rather than concede defeat, our hope is that the computer science research community and industry partners will work even more closely together to proactively understand and address the privacy of portable consumer products, both by ensuring that new technologies do not further erode our privacy, and by working to retroactively improve the privacy of existing technologies.

Is an On-Off Switch Enough? Another natural question to ask is whether a sufficient privacy-protection mechanism might simply be to place on-off switches directly on all mobile personal devices, like the Nike+iPod Sport Kit sensors. We do not believe this proposal to be sufficient for several reasons. First, this approach by itself will not protect consumers’ privacy while the devices are in operation. Second, we believe that it is unrealistic to assume that most users will actually turn their devices off when not in use, especially as the number of such personal devices increases over time. To further support our belief, we quote from the Nike+iPod online documentation: “most Nike+iPod runners and walkers can just drop the sensor in their Nike+ shoes and forget about it [26].” This quote suggests that Apple and Nike have already realized that, given the choice between simplicity (not using the on-off switch) and cost (not consuming energy from the battery when not working out), consumers would choose simplicity. Unfortunately, making or following this recommendation also favors simplicity over privacy and personal safety. (As a slight aside, we remark that assuming that all users will turn off all their mobile devices when not in use is somewhat akin to assuming that all users will choose strong passwords without external prompting, an assumption which folklore knowledge suggests to be unreasonable in practice.)

7. RELATED WORK
There is an immense body of related work; we only provide a brief survey here. Most closely related to this paper are the research results highlighting potential privacy concerns with RFID tags (e.g., [20, 25]) and discoverable bluetooth devices (e.g., [19]), as well as many popular press articles on the subject (e.g., [8, 24, 29]). Moreover, others have created bluetooth- and WiFi-based tracking systems for research, demonstration, or commercial purposes (e.g., [4, 5, 6, 10, 23, 27, 28]). We are, however, unaware of any other location-based surveillance system that goes as far as plotting subjects’ locations on a map in real-time. Further afield, there has been significant research on face recognition

possible to significantly improve the privacy of some devices (e.g., our changes to the Nike+iPod protocol in Section 6), there are still fundamental open research questions to address.

8. CONCLUSIONS
As personal sensing devices begin to pervade our daily lives, it becomes increasingly important for our gadgets to preserve privacy. Despite historic consumer concerns and previous literature on potential privacy issues, our results show that companies continue to release devices that do not provide strong privacy guarantees. Since privacy failures with these devices can have serious consequences, including compromises to personal safety, we hope that this work will motivate industry and research partners to further pursue proactive measures of ensuring consumer privacy.

9. ACKNOWLEDGEMENTS
We thank Yaw Anokwa, Kate Everitt, Kevin Fu, Ed Lazowska, David Molnar, Lincoln Ritter, Avi Rubin, Jason Schultz, Adam Stubblefield, Dan Wallach, and David Wetherall.

10. REFERENCES
[1] ANT comparison sheet. http://www.thisisant.com/index.php?section=36.
[2] AppleInsider. NYU Warns Students Against Wearing iPod Earbuds, 2005. http://www.appleinsider.com/article.php?id=930.
[3] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric encryption. In Proceedings of the 38th Annual Symposium on Foundations of Computer Science, pages 394–403. IEEE Computer Society Press, 1997.
[4] BlueTags to install world’s first Bluetooth tracking system, 2003. http://www.geekzone.co.nz/content.asp?contentid=1070.
[5] Braces – A Bluetooth Tracking Utility. http://braces.shmoo.com/.
[6] J. Collins. Lost and Found in Legoland, RFID Journal, 2004. http://www.rfidjournal.com/article/articleview/921/1/1/.
[7] FT2232C Dual USB UART/FIFO IC. http://www.ftdichip.com/Products/FT2232C.htm.
[8] A. Gilbert. ‘Secret’ RFID test draws consumer ire, ZDNet.co.uk, 2003. http://news.zdnet.co.uk/emergingtech/0,1000000183,39117924,00.htm.
[9] gothamist. Gang of iPod Thieves Arrested, 2005. http://www.gothamist.com/archives/2005/09/09/gang_of_ipod_thieves_arrested.php.
and gait recognition; see [12] for a survey.                       [10] M. Haase and M. Handy. BlueTrack – Imperceptible
                                                                        tracking of bluetooth devices. In Ubicomp Poster
On the defensive side, researchers have proposed a blocker              Proceedings, 2004.
tag for helping protect the privacy of RFID devices [21], as
well as algorithmic changes to portions of the RFID commu-         [11] T. S. Heydt-Benjamin, D. V. Bailey, K. Fu, A. Juels,
nication protocols (e.g., [22, 25]) and other wireless protocols        and T. O’Hare. Vulnerabilities in first-generation
(e.g., [13, 30]). Despite these advances, and although it is            RFID-enabled credit cards, 2006. Manuscript.
[12] W. Hu, T. Tan, L. Wang, and S. Maybank. A survey
     on visual surveillance of object motion and behaviors.
     In IEEE Transactions on Systems, Man, and
     Cybernetics, August 2004.
[13] Y.-C. Hu and H. J. Wang. A framework for location
     privacy in wireless networks. In ACM SIGCOMM
     Asia Workshop, 2005.
[14] iPod 3G Accessory Protocol.
     http://stud3.tuwien.ac.at/~e0026607/ipod remote/ipod ap.html.
[15] iPod Connector Female SMD.
     http://www.sparkfun.com/commerce/product info.php?products id=8035.
[16] iPod Dock Connector.
     http://home.swipnet.se/ridax/connector.htm.
[17] iPod Linux. http://ipodlinux.org/Dock Connector.
[18] iPod Linux. http://ipodlinux.org.
[19] M. Jakobsson and S. Wetzel. Security weaknesses in
     bluetooth. In 2001 Conference on Topics in
     Cryptography, 2001.
[20] A. Juels, D. Molnar, and D. Wagner. Security and
     privacy issues in e-passports. In IEEE SecureComm,
     2005.
[21] A. Juels, R. Rivest, and M. Szydlo. The blocker tag:
     Selective blocking of rfid tags for consumer privacy. In
     10th Annual ACM CCS, 2003.
[22] A. Juels and S. Weis. Authenticating pervasive devices
     with human protocols. In 25th Annual International
     Cryptography Conference, August 2005.
[23] Loca – About Loca. http://www.loca-lab.org/.
[24] A. McCue. Privacy Groups Protest RFID Tagging of
     Razors, ZDNet.co.uk, 2003.
     http://news.zdnet.co.uk/emergingtech/0,1000000183,39115718,00.htm.
[25] D. Molnar and D. Wagner. Privacy and security in
     library RFID issues, practices, and architectures. In
     11th ACM Conference on Computer and
     Communications Security (CCS 2004), 2004.
[26] Nike + iPod Frequently Asked Questions (Technical).
     http://docs.info.apple.com/article.html?artnum=303934.
     Last accessed on November 12, 2006.
[27] E. O’Neill, V. Kostakos, T. Kindberg, A. F. gen.
     Schieck, A. Penn, D. S. Fraser, and T. Jones.
     Instrumenting the city: Developing methods for
     observing and understanding the digital cityscape. In
     Ubicomp, 2006.
[28] M. Pels, J. Barhorst, M. Michels, R. Hobo, and
     J. Barendse. Tracking people using bluetooth:
     Implications of enabling bluetooth discoverable mode,
     2005. Manuscript.
[29] Radio Frequency Identification – Wikipedia.
     http://en.wikipedia.org/wiki/RFID.
[30] F.-L. Wong and F. Stajano. Location privacy in
     bluetooth. In 2nd European Workshop on Security and
     Privacy in Ad hoc and Sensor Networks, 2005.